Negligence or Human Error – Primary Cause of a Data Breach

Staffordshire University in the UK reported that a laptop containing applicant information was stolen from a car belonging to a staff member. Due to the size of the data file, the information was held locally on the hard drive of the laptop. The specific information contained in the file included name, address, email, telephone numbers, offer decisions, ethnicity code and gender of applicants dating from 2006.

While notifying and apologizing to all affected parties of the breach, the university stressed that this was an exceptional incident and the laptop was password protected. The university also undertook actions to avoid such incidents in future. The actions included training staff, reminding them of their obligations to protect personal data, and conducting a technical review of their security landscape.

According to a recent survey conducted by the Ponemon Institute of 40 companies across 12 industry sectors in the UK, negligence or human error is the primary root cause of data breaches. 40% of incidents involve a negligent employee or contractor (human factor), 38% involve a malicious or criminal attack, and 22% are due to system glitches, including a combination of both IT and business process failures.

The survey further revealed that companies that experienced malicious or criminal attacks had per capita costs of £119, while companies experiencing system glitches or employee mistakes had a per capita cost ranging from £88 to £76. While the exfiltration of data by hackers or criminal insiders is more costly than incidents involving human error, having a strong security posture can reduce the average cost from £85 to £80 (decreased cost = -£15). In contrast, a data breach involving lost or stolen devices can increase the average cost from £95 to £110 (increased cost = +£15).

In a world with an increasing dependence on technology, the rapid user adoption of multiple devices as a way to conduct business productively has quickly become a reality for organizations. The notion of sitting behind a desk with a desktop computer has given way to laptops, tablets, smartphones, and other devices, whether they’re owned by the individual or provided by the organization. All of these devices present a sizeable challenge. For example, a population of 46,000 individuals on the network, each having five devices (some personal, some institution issued) creates 230,000 potential breach points, each of which could be a point of compromise.

Today, thanks to the BYOD trend, a myriad of options exist for accessing and sharing information in an organization. Laptops, tablets, shared workstations, USB keys and personal mobile devices all provide ways for users to access and share information and, in most cases, sensitive information. The challenge facing IT is developing an effective strategy to manage, administer and secure these disparate, multi-platform devices so that “Bring Your Own Device” doesn’t turn into “Bring Your Own Disaster.”

The good news is that this is a preventable issue. A Full Disk Encryption (FDE) solution can ensure that sensitive information isn’t exposed in the event that a laptop is lost or stolen. An ideal full disk encryption solution comprises two components, key management and encryption, and there is a very distinct line between the two.

Data encryption has several advantages that enable organizations to comprehensively protect and secure data. Encrypting data provides protection for sensitive information whether it’s stored on a desktop or laptop, a smartphone, tablet, removable storage media, an email server or even the network, so in the event the device is lost or stolen, the information is protected.

Another advantage is that businesses run at their normal pace while the encryption solution silently secures critical data in the background. Some of the best data encryption options perform without the user even being aware.

Despite best efforts, data breaches can occur. Laptops and removable storage devices are prone to theft and loss. Data encryption protects critical assets if they fall into the wrong hands, and protects the integrity and credibility of your organization.

We have seen a lot of evolution of technology, with OS vendors such as Microsoft and Apple adding encryption as a feature and now the availability of hardware-based encryption such as Self-Encrypting Drives. However, one constant and most important aspect of data encryption security is key management.

Key management is the main cog in data security management that controls everything from authentication to identity management. How a device is encrypted is irrelevant if the proper key management is in place. While the devices are encrypted, the important piece is how users gain access to secured information. The authentication piece of key management allows for the use of strong pre-boot authentication that can take advantage of things like biometric security access, smart card and token access, or even leverage the network itself as part of the authentication process. All of this is independent of the encryption engine on the device. It is about ensuring the right user is getting access to the right information with the proper authentication process.
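The split between key management and the encryption engine described above, as an added example (not code from WinMagic or any product): one random disk key encrypts the data, and each authenticator only wraps that key in its own slot, so changing a passphrase or enrolling a token never re-encrypts the disk. The function names, the scrypt defaults and the sample strings are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers. Real disk engines typically use AES-XTS; GCM is used
// here only so that one pair of helpers serves both the disk and the key slots.
function seal(key, data) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws on a wrong key
}

// Key management: every authenticator gets its own slot holding the same disk
// key (DEK), wrapped under a key that scrypt derives from that secret.
function addSlot(dek, secret) {
  const salt = crypto.randomBytes(16);
  return { salt, box: seal(crypto.scryptSync(secret, salt, 32), dek) };
}

function unlock(slot, secret) {
  return open(crypto.scryptSync(secret, slot.salt, 32), slot.box);
}

// True if the secret opens the slot, false if authentication fails.
function accepts(slot, secret) {
  try { unlock(slot, secret); return true; } catch { return false; }
}

// Constructed walk-through: provision, change the passphrase, enrol a token.
function demo() {
  const dek = crypto.randomBytes(32); // generated once; never typed by a user
  const disk = seal(dek, Buffer.from('applicant records (constructed)'));
  let slots = [addSlot(dek, 'old passphrase')];
  // Passphrase change re-wraps the DEK only; `disk` is not re-encrypted.
  slots = [addSlot(unlock(slots[0], 'old passphrase'), 'new passphrase')];
  // Second authenticator, e.g. a secret released by a smart card (assumed).
  const tokenSecret = crypto.randomBytes(32);
  slots.push(addSlot(dek, tokenSecret));
  return {
    viaPassphrase: open(unlock(slots[0], 'new passphrase'), disk).toString(),
    viaToken: open(unlock(slots[1], tokenSecret), disk).toString(),
    oldRejected: !accepts(slots[0], 'old passphrase'),
  };
}
```

Without a slot that opens, the data in `disk` is only ciphertext, which is the difference between an encrypted laptop and one that is merely password protected at login.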

Despite the obvious benefits of protecting your data using a full-disk encryption solution, you might hear comments like, “Why do we need all this security, we’ve got strong passwords.” Or, “Data encryption – that’s going to put a massive strain on the IT department.” In fact, Staffordshire University’s response/defense to the affected parties was “the laptop was password protected”.

Unfortunately, these common misconceptions surrounding encryption are based on a misunderstanding of the technology or on outdated concepts. They persist, even among those who are generally knowledgeable about computers or technology. These myths sometimes cause decision makers and IT groups to argue against data encryption solutions, or to dismiss the technology altogether.

Going back to Staffordshire University’s case, their undertaking of a technical review of their security landscape is certainly a step in the right direction. However, by understanding how to address such misconceptions, organizations can be well armed when building the business case for data encryption.
